Privacy Policy
BuildwellAI Ltd ("we", "us", "our") is committed to protecting your personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR).
Our Privacy Principles
We process personal data lawfully, fairly, and transparently in line with Article 5 of the UK GDPR.
Lawfulness & Fairness
We only process personal data where we have a valid lawful basis under Article 6 of the UK GDPR, such as consent, contractual necessity, or legitimate interest.
Transparency
We clearly inform you about the purposes of processing, the lawful basis relied upon, retention periods, and your rights under UK data protection law.
Data Minimisation
In accordance with the data minimisation principle, we only collect personal data that is adequate, relevant, and limited to what is necessary for our stated purposes.
1. Data Controller
For the purposes of the UK GDPR and the Data Protection Act 2018, the data controller is:
BuildwellAI Ltd
Registered in England and Wales
Registered Office: London, United Kingdom
Email: privacy@buildwellai.com
If you have any questions about how we process your personal data, you may contact our Data Protection Officer at the details provided in the Contact section below.
2. Lawful Basis for Processing
Under Article 6(1) of the UK GDPR, we rely on the following lawful bases to process your personal data:
- (a) Consent (Article 6(1)(a)): Where you have given clear consent for us to process your personal data for a specific purpose, such as subscribing to marketing communications or opting in to analytics cookies.
- (b) Contract (Article 6(1)(b)): Where processing is necessary for the performance of a contract to which you are a party, or to take steps at your request prior to entering a contract (e.g., creating your account, providing our services).
- (c) Legal Obligation (Article 6(1)(c)): Where processing is necessary for compliance with a legal obligation to which we are subject (e.g., tax and accounting requirements, responding to lawful court orders).
- (f) Legitimate Interests (Article 6(1)(f)): Where processing is necessary for our legitimate interests or those of a third party, provided those interests are not overridden by your rights. Our legitimate interests include improving our services, fraud prevention, network and information security, and internal administration.
3. Personal Data We Collect
Information You Provide Directly
We collect personal data that you voluntarily provide when using our services:
- Full name, email address, telephone number, and postal address
- Company name, job title, and professional role
- Account credentials (username and hashed password)
- Payment and billing information (processed by our PCI-DSS compliant payment processor; we do not store full card details)
- Communications you send to us (enquiries, support tickets, feedback)
- Marketing preferences and subscription settings
Information Collected Automatically
When you access our website or services, we automatically collect certain technical data:
- IP address, browser type and version, operating system
- Device identifiers and screen resolution
- Pages visited, time spent on pages, referral source, and navigation paths
- Log data including access timestamps and error reports
- Information collected via cookies and similar technologies (see Section 8)
Special Category Data
We do not intentionally collect any special category personal data as defined in Article 9 of the UK GDPR (e.g., racial or ethnic origin, political opinions, religious beliefs, health data, biometric data). If you inadvertently provide such data, we will delete it promptly upon discovery.
4. Purposes of Processing
We process your personal data for the following purposes, each linked to a specific lawful basis:
- Service delivery: Providing, operating, and maintaining our AI-powered construction platform (Contract)
- Account management: Creating and managing your user account, processing transactions (Contract)
- Service communications: Sending transactional emails, service updates, and security notices (Contract / Legitimate Interest)
- Product improvement: Analysing usage patterns and feedback to improve our services (Legitimate Interest)
- Security: Detecting, preventing, and responding to fraud, abuse, and security incidents (Legitimate Interest / Legal Obligation)
- Legal compliance: Fulfilling tax, accounting, and regulatory obligations (Legal Obligation)
- Marketing: Sending promotional communications where you have opted in (Consent)
5. Data Sharing and Disclosure
We do not sell, rent, or trade your personal data. We may share your data with the following categories of recipients, each bound by appropriate data processing agreements under Article 28 of the UK GDPR:
- Service providers and sub-processors: Cloud hosting providers, email delivery services, payment processors, and analytics providers who process data on our behalf under written contracts
- Professional advisors: Solicitors, accountants, and auditors where reasonably necessary
- Law enforcement and regulators: Where required by law, court order, or to comply with a legal obligation (e.g., HMRC, ICO)
- Business transfers: In connection with a merger, acquisition, or sale of assets, where your data would be transferred as a business asset (with prior notice where practicable)
We require all third parties to respect the security of your personal data and treat it in accordance with the law.
6. Data Security
In compliance with Article 32 of the UK GDPR, we implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
- Encryption of personal data in transit (TLS 1.2+) and at rest (AES-256)
- Regular security testing, vulnerability assessments, and penetration testing
- Role-based access controls and multi-factor authentication for internal systems
- Staff training on data protection obligations and information security
- Documented incident response and breach notification procedures in compliance with Articles 33 and 34 of the UK GDPR
- Regular backup procedures and disaster recovery planning
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the Information Commissioner's Office (ICO) within 72 hours and inform affected individuals without undue delay.
7. Your Rights Under UK GDPR
Under the UK GDPR and the Data Protection Act 2018, you have the following rights. These rights are not absolute and may be subject to certain exemptions:
- Right of Access (Article 15): You may request a copy of the personal data we hold about you. We will respond within one month.
- Right to Rectification (Article 16): You may request correction of inaccurate or incomplete personal data.
- Right to Erasure (Article 17): You may request deletion of your personal data where there is no compelling reason for continued processing.
- Right to Restrict Processing (Article 18): You may request that we restrict processing of your personal data in certain circumstances.
- Right to Data Portability (Article 20): You may request to receive your personal data in a structured, commonly used, machine-readable format.
- Right to Object (Article 21): You may object to processing based on legitimate interests or direct marketing at any time.
- Right to Withdraw Consent: Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
- Rights Related to Automated Decision-Making (Article 22): You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects.
To exercise any of these rights, please contact us at privacy@buildwellai.com. We will respond within one month. If we need to extend this period (by up to two additional months), we will inform you and explain why.
We will not charge a fee for exercising your rights unless the request is manifestly unfounded or excessive.
8. Cookies and Electronic Communications
In accordance with Regulation 6 of the Privacy and Electronic Communications Regulations 2003 (PECR), we use cookies and similar technologies on our website. We obtain your consent before placing non-essential cookies on your device.
Categories of Cookies
- Strictly Necessary: Essential for the website to function (e.g., session management, authentication). These do not require consent under PECR.
- Analytics and Performance: Help us understand how visitors use our website (e.g., page views, traffic sources). Require your consent.
- Functionality: Remember your preferences and settings. Require your consent.
- Marketing: Used to deliver relevant advertisements and track campaign effectiveness. Require your consent.
You may withdraw cookie consent at any time by adjusting your browser settings or using our cookie preference controls. Disabling certain cookies may affect website functionality.
9. Data Retention
In line with the storage limitation principle (Article 5(1)(e) UK GDPR), we retain your personal data only for as long as necessary to fulfil the purposes for which it was collected:
- Active account data: For the duration of your account and up to 2 years following account closure or last activity
- Transactional records: 6 years from the date of the transaction, as required by HMRC and Companies Act 2006 obligations
- Marketing consent records: For as long as consent is valid, plus 1 year after withdrawal for evidential purposes
- Analytics data: Up to 26 months in anonymised or pseudonymised form
- Support correspondence: Up to 3 years following resolution
- Legal claims: Up to 6 years (Limitation Act 1980) or longer where required for ongoing proceedings
When personal data is no longer required, it will be securely deleted or irreversibly anonymised.
10. International Data Transfers
Your personal data is primarily stored and processed within the United Kingdom. Where we transfer personal data outside the UK, we ensure compliance with Chapter V of the UK GDPR by relying on one or more of the following safeguards:
- Adequacy regulations: Transfers to countries deemed adequate by the UK Secretary of State under Section 17A of the Data Protection Act 2018
- International Data Transfer Agreement (IDTA): The UK-specific standard contractual clauses approved by the ICO
- UK Addendum to EU SCCs: Where applicable, we use the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses
- Binding Corporate Rules: Where approved by the ICO for intra-group transfers
You may request a copy of the safeguards we rely on for international transfers by contacting us.
11. Children's Privacy
Our services are not directed at individuals under the age of 18, and we do not knowingly collect personal data from children. In accordance with Section 9 of the Data Protection Act 2018 and the ICO's Age Appropriate Design Code, if we discover that we have inadvertently collected personal data from a child under 13 (or under 18 without appropriate parental consent where required), we will take steps to delete that data promptly.
12. Changes to This Policy
We may update this privacy policy from time to time to reflect changes in our practices or applicable law. Where changes are material, we will:
- Provide at least 30 days' advance notice via email to registered users
- Display a prominent notice on our website
- Update the "Last updated" and "Effective date" at the top of this policy
- Where changes affect processing based on consent, seek fresh consent as required
We encourage you to review this policy periodically.
13. Right to Lodge a Complaint
If you are dissatisfied with how we handle your personal data, you have the right to lodge a complaint with the UK supervisory authority:
Information Commissioner's Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Telephone: 0303 123 1113
Website: ico.org.uk
We would appreciate the opportunity to address your concerns before you approach the ICO, so please contact us first at privacy@buildwellai.com.
Contact Us About Privacy
If you have any questions about this privacy policy, wish to exercise your data protection rights, or have a complaint, please contact our Data Protection Officer.
Data Protection Officer
BuildwellAI Ltd
London, United Kingdom
Email: privacy@buildwellai.com
Supervisory Authority
Information Commissioner's Office (ICO)
Wycliffe House, Water Lane
Wilmslow, Cheshire, SK9 5AF
Tel: 0303 123 1113
Regulatory Compliance
BuildwellAI is committed to full compliance with all applicable UK data protection legislation.
UK GDPR
UK General Data Protection Regulation (retained EU law)
DPA 2018
Data Protection Act 2018 (UK domestic legislation)
PECR 2003
Privacy and Electronic Communications Regulations
ICO Registered
Registered with the Information Commissioner's Office